Domain 2 RHIA Study Exam Questions And
Answers 2025 Update.
The legal health record for disclosure consists of:
a. Any and all protected health information data collected or used by a healthcare entity when
delivering care
b. Only the protected health information requested by an attorney for a legal proceeding
c. The data, documents, reports, and information that comprise the formal business records of
any healthcare entity that are to be utilized during legal proceedings
d. All of the data and information included in the HIPAA Designated Record Set - Answer✔c.
The data, documents, reports, and information that comprise the formal business records of
any healthcare entity that are to be utilized during legal proceedings
The concept of legal health records was created to describe the data, documents, reports, and
information that comprise the formal business record(s) of any healthcare organization that are
to be utilized during legal proceedings. Understanding legal health records requires knowledge
of not only what comprises business records used as legal health records, but also the
processes as well as the physical and electronic systems used to manage these records.
John is the privacy officer at General Hospital and conducts audit trail checks as part of his job
duties. What does an audit trail check for?
a. Loss of data
b. Presence of a virus
c. Successful completion of a backup
d. Unauthorized access to a system - Answer✔d. Unauthorized access to a system
An audit trail is a chronological set of computerized records that provides evidence of
computer system utilization (log-ins and log-outs, file accesses) and is used to determine
security violations.
©THESTAR 2024/2025 ALL RIGHTS RESERVED 11:04PM.
A professional basketball player from the local team was admitted to your facility for a
procedure. During this patient's hospital stay, access logs may need to be checked daily in order
to determine:
a. Whether access by employees is appropriate
b. If the patient is satisfied with their stay
c. If it is necessary to order prescriptions for the patient
d. Whether the care to the patient meets quality standards - Answer✔a. Whether access by
employees is appropriate
In order to maintain patient privacy, certain audits may need to be completed daily. If a
high-profile patient is currently in a facility, for example, access logs may need to be checked
daily to determine whether all access to this patient's information by the workforce is
appropriate.
An outpatient laboratory routinely mails the results of health screening exams to its patients.
The lab has received numerous complaints from patients who have received another patient's
health information. Even though multiple complaints have been received, no change in process
has occurred because the error rate is low in comparison to the volume of mail that is
processed daily for the lab. How should the Privacy Officer for this healthcare entity respond to
this situation?
a. Determine why the lab results are being sent to incorrect patients and train the laboratory
staff on the HIPAA Privacy Rule
b. Fire the responsible employees
c. Do nothing, as these types of errors occur in every healthcare entity
d. Retrain the entire hospital entity because these types of errors could result in a huge fine
from the Office of Inspector General - Answer✔a. Determine why the lab results are being sent
to incorrect patients and train the laboratory staff on the HIPAA Privacy Rule
This situation must be corrected. The privacy officer should complete a process flow and
identify the areas where a breakdown in the process is resulting in a complaint of mailing the
report to the wrong patient. It is important for the covered entity to take as many precautions
as possible to ensure compliance by its workforce. Training is necessary in this situation to
mitigate this type of error.
Anywhere Hospital's coding staff will be working remotely. The entity wants to ensure that they
are complying with the HIPAA Security Rule. What type of network uses a private tunnel
through the Internet as a transport medium that will allow the transmission of ePHI to occur
between the coder and the facility securely?
a. Intranet
b. Local area network
c. Virtual private network
d. Wide area network - Answer✔c. Virtual private network
A virtual private network (VPN) uses a secure tunnel through a public network, usually the
Internet, to connect remote sites or users. Security procedures include firewalls, encryption,
and server authentication.
Mary Smith has gone to her doctor to discuss her current medical condition. What is the legal
term that best describes the type of communication that has occurred between Mary and her
physician?
a. Closed communication
b. Open communication
c. Private communication
d. Privileged communication - Answer✔d. Privileged communication
Privileged communication is a legal concept designed to protect the confidentiality between
two parties and is usually delineated by state law.
An individual designated as an inpatient coder may have access to an electronic medical record
in order to code the record. Under what access security mechanism is the coder allowed access
to the system?
a. Context-based
b. Role-based
c. Situation-based
d. User-based - Answer✔b. Role-based
Role-based access control (RBAC) is a control system in which access decisions are based on the
roles of individual users as part of an organization.
Which of the following statements about a firewall is false?
a. It is a system or combination of systems that supports an access control policy between two
networks.
b. The most common place to find a firewall is between the healthcare entity's internal network
and the Internet.
c. Firewalls are effective for preventing all types of attacks on a healthcare system.
d. A firewall can limit internal users from accessing various portions of the Internet. -
Answer✔c. Firewalls are effective for preventing all types of attacks on a healthcare system.
As important as firewalls are to the overall security of health information systems, they cannot
protect a system from all types of attacks.
A dietary department donated its old microcomputer to a school. Some old patient data were
still on the microcomputer. What controls would have minimized this security breach?
a. Access controls
b. Device and media controls
c. Facility access controls
d. Workstation controls - Answer✔b. Device and media controls
HIPAA requires the implementation of policies and procedures for the removal of hardware and
electronic media that contain ePHI into and out of a facility. There are four implementation
specifications within this standard: disposal, media reuse, accountability, and data backup and
storage. In this case, the organization did not follow policies for the removal of hardware and
electronic media.
The Privacy Rule generally requires documentation related to its requirements to be retained:
a. 3 years
b. 5 years
c. 6 years
d. 10 years - Answer✔c. 6 years
The Privacy Rule uses six years as the period for which Privacy Rule-related documents must be
retained. The six-year time frame refers to the later of the following: the date the document
was created or the last effective date of the document. Such documents include policies and
procedures, the notice of privacy practices (NPP), complaint dispositions, and other actions,
activities, and designations that must be documented per Privacy Rule requirements.
Mrs. Davis is preparing to undergo hernia repair surgery at Deaconess Hospital. Select the best
statement of the following options.